Modern computerized systems all over the world are often threatened by intrusive attacks. Some attacks are targeted at a specific computer or network for a specific purpose, such as causing damage or collecting specific information. Other attacks, however, are more general and are aimed at a wide range of computers, networks and users.
Intrusion detection systems are constantly attempting to detect intrusive attacks and generate alerts whenever an intrusive attack is identified.
Typical intrusion detection systems are signature-based and/or protocol-analysis-based. Such systems typically include a subset of: port assignment, port following, protocol tunneling detection, protocol analysis, Transmission Control Protocol (TCP) reassembly, flow assembly, statistical threshold analysis, pattern matching and the like.
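The following is an added example, not code from the source text, showing why flow assembly and TCP reassembly matter to a signature-based detector. The TCP segments, addresses and the single signature are constructed for illustration: one client splits the string `../../etc/passwd` across two segments that also arrive out of order, so a matcher that inspects each segment in isolation never sees the full pattern.

```python
# Added example (not from the source text): signature matching with and without
# TCP reassembly. All segments, addresses and the signature are constructed.

import re
from collections import defaultdict

# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload), listed in arrival order.
# The first two segments belong to one flow and arrive out of sequence.
SEGMENTS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1026, b"/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, 1000, b"GET /cgi-bin/a?f=../../etc"),
    ("10.0.0.7", 40002, "192.0.2.10", 80, 5000, b"GET /index.html HTTP/1.1\r\n\r\n"),
]

# Constructed signature: a path-traversal request for /etc/passwd.
SIGNATURES = {
    "path-traversal-passwd": re.compile(rb"\.\./.*?etc/passwd"),
}


def flow_key(seg):
    """Flow assembly key: the 4-tuple identifying one TCP connection direction."""
    src, sport, dst, dport, _, _ = seg
    return (src, sport, dst, dport)


def assemble_flows(segments):
    """Group segments per flow and rebuild each payload stream in sequence order.

    Overlapping bytes (retransmissions) are skipped; a hole in the sequence
    space ends the stream, because bytes after a hole cannot be placed yet.
    """
    by_flow = defaultdict(list)
    for seg in segments:
        by_flow[flow_key(seg)].append(seg)

    streams = {}
    for key, segs in by_flow.items():
        segs.sort(key=lambda s: s[4])           # order by TCP sequence number
        expected = segs[0][4]
        data = bytearray()
        for *_, seq, payload in segs:
            if seq > expected:                   # gap: stop at the hole
                break
            overlap = expected - seq
            data += payload[overlap:]            # drop bytes already seen
            expected = max(expected, seq + len(payload))
        streams[key] = bytes(data)
    return streams


def match_per_segment(segments):
    """Naive matcher: runs the signatures on each segment's payload alone."""
    hits = set()
    for seg in segments:
        for name, pat in SIGNATURES.items():
            if pat.search(seg[5]):
                hits.add((flow_key(seg), name))
    return hits


def match_reassembled(segments):
    """Matcher run over the reassembled byte stream of each flow."""
    hits = set()
    for key, stream in assemble_flows(segments).items():
        for name, pat in SIGNATURES.items():
            if pat.search(stream):
                hits.add((key, name))
    return hits


if __name__ == "__main__":
    print("per-segment :", match_per_segment(SEGMENTS))   # no hit: pattern is split
    print("reassembled :", match_reassembled(SEGMENTS))   # one hit on the 10.0.0.5 flow
```

The per-segment matcher is what an attacker evading an IDS relies on; the reassembled matcher only works once the flow has been assembled and the sequence space is contiguous, which is also why a real sensor must bound how long it buffers segments waiting for a hole to be filled.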
Another aspect of protecting computer systems relates to preventing attacks. The optimal goal is of course to prevent the first attack. However, most of the current solutions first identify an attack and only then attempt to prevent it from causing further damage, thus leaving the network vulnerable to the first attack.
Some intrusion prevention systems may block a session or an IP address if it is determined that the session is part of an intrusive attack, or when intrusive attacks originate from a certain IP address.
A typical problem associated with intrusion detection and prevention relates to the tradeoff between false negatives and false positives in alerting and blocking. If the intrusion detection is too strict, it may identify legitimate activities as hazardous, activate prevention measures and disturb the normal workflow of a system, a user, or an organization. Overly strict detection and prevention also require more resources, such as computing time, computing power, storage, and others. Too tolerant detection, on the other hand, may miss malicious attacks and prove ineffective.
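The following is an added example, not code from the source text, that makes the tradeoff concrete for the statistical-threshold and IP-blocking mechanisms described above. The per-source connection counts, labels and threshold values are constructed; in this data a slow scanner opens fewer connections than a legitimate monitoring host, so no single threshold eliminates both false positives and false negatives.

```python
# Added example (not from the source text): sweeping the alert threshold of a
# rate-based detector and feeding its alerts into an IP blocker. All traffic
# figures and labels below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class SourceStats:
    ip: str
    new_connections: int   # distinct destination ports contacted in one window
    malicious: bool        # ground-truth label, known only in this offline evaluation


OBSERVED = [
    SourceStats("10.0.0.5", 120, True),    # fast port scanner
    SourceStats("10.0.0.6", 45, True),     # low-and-slow scanner
    SourceStats("10.0.0.20", 8, False),    # ordinary workstation
    SourceStats("10.0.0.21", 50, False),   # monitoring host polling many services
    SourceStats("10.0.0.22", 3, False),    # idle host
]


def alerts(stats, threshold):
    """Statistical-threshold rule: alert on any source at or above the threshold."""
    return {s.ip for s in stats if s.new_connections >= threshold}


def evaluate(stats, threshold):
    """Return (false_positives, false_negatives) of the rule at this threshold."""
    alerted = alerts(stats, threshold)
    fp = sum(1 for s in stats if not s.malicious and s.ip in alerted)
    fn = sum(1 for s in stats if s.malicious and s.ip not in alerted)
    return fp, fn


def sweep(stats, thresholds):
    """(threshold, fp, fn) for each candidate threshold."""
    return [(t, *evaluate(stats, t)) for t in thresholds]


class Blocker:
    """Prevention component: once a source is alerted on, its IP is blocked."""

    def __init__(self):
        self.blocked = set()

    def on_alert(self, ip):
        self.blocked.add(ip)

    def allow(self, ip):
        return ip not in self.blocked


def enforce(stats, threshold):
    """Run detection at the given threshold and return the resulting blocker."""
    blocker = Blocker()
    for ip in alerts(stats, threshold):
        blocker.on_alert(ip)
    return blocker


if __name__ == "__main__":
    for t, fp, fn in sweep(OBSERVED, [10, 46, 60]):
        print(f"threshold={t:3d}  false positives={fp}  false negatives={fn}")
    strict = enforce(OBSERVED, 10)
    print("strict setting blocks the monitoring host:", not strict.allow("10.0.0.21"))
```

A strict setting (threshold 10) blocks the legitimate monitoring host; a tolerant one (threshold 60) lets the slow scanner through. Because a false positive here translates directly into a blocked IP, the cost of each misclassification is asymmetric, which is why threshold choice belongs with the operators who know the traffic rather than with a fixed default.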